
Hotmail Password Reset Bug Exploited in Wild

UPDATE: Microsoft has issued a temporary permanent fix for a previously undisclosed bug in its MSN Hotmail Web email service that could have allowed remote attackers to reset account passwords.

The flaw in the password reset functionality allowed a remote attacker to reset the Hotmail/MSN password with their own values, according to a notice published by Vulnerability Laboratory senior researcher Benjamin Kunz Mejri. It affected Microsoft’s official MSN Hotmail (Live) service. Remote attackers could use the security hole to bypass the password recovery service to set up a new password, according to the notice.

Hotmail is the world’s largest web-based email service provider, touting some 364 million users. The flaw would also allow an attacker to bypass MSN Hotmail’s token-based login protection. According to the Vulnerability Laboratory report, the token protection only checks if input values are empty before blocking or closing the web session. Mejri managed to bypass that feature by entering a string of characters, in this case, ‘+++)-.’
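To make the flawed check concrete: the following Python example is added here and is not Hotmail’s or Microsoft’s code. It models a reset handler whose only validation is that the token field is non-empty, as the Vulnerability Laboratory report describes, beside a hardened handler that binds the token to the account, enforces expiry and single use, and compares it in constant time. The class and function names (ResetStore, weak_reset, hardened_reset), the account names and the password values are constructed for illustration.

```python
import hmac
import secrets
import time


class ResetStore:
    """In-memory record of issued reset tokens, keyed by account (constructed for the example)."""

    def __init__(self):
        self._tokens = {}  # account -> (token, expires_at)

    def issue(self, account, ttl_seconds=900, now=None):
        """Issue a fresh random token for the account, valid for ttl_seconds."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[account] = (token, now + ttl_seconds)
        return token

    def lookup(self, account):
        return self._tokens.get(account)

    def revoke(self, account):
        self._tokens.pop(account, None)


def weak_reset(account, supplied_token, new_password, passwords):
    """Vulnerable pattern: the only check is that *some* token value was sent.

    Any non-empty string passes, so the supplied token is never tied to a
    token the server actually issued for this account.
    """
    if not supplied_token:
        return False
    passwords[account] = new_password
    return True


def hardened_reset(store, account, supplied_token, new_password, passwords, now=None):
    """Hardened pattern: the token must match the one issued for this account,
    must not have expired, and is consumed on first use."""
    now = time.time() if now is None else now
    entry = store.lookup(account)
    if entry is None:
        return False  # no reset was ever requested for this account
    token, expires_at = entry
    if now > expires_at:
        store.revoke(account)  # stale token: discard it
        return False
    # Constant-time comparison over bytes so timing does not leak the token
    # and non-ASCII input cannot raise instead of simply failing.
    if not hmac.compare_digest(token.encode(), supplied_token.encode()):
        return False
    store.revoke(account)  # single use: a replayed token is rejected
    passwords[account] = new_password
    return True


if __name__ == "__main__":
    passwords = {"alice": "old-secret"}
    print("weak accepts junk token:", weak_reset("alice", "+++)-", "attacker-chosen", passwords))
    passwords = {"alice": "old-secret"}
    store = ResetStore()
    print("hardened rejects junk token:", not hardened_reset(store, "alice", "+++)-", "attacker-chosen", passwords))
    real = store.issue("alice")
    print("hardened accepts issued token:", hardened_reset(store, "alice", real, "user-chosen", passwords))
```

The weak handler is what the report describes: the server tests the field for emptiness and nothing else, so the token carries no authority. The hardened handler makes the token a server-issued, account-bound, expiring, single-use secret, which is the property a reset flow actually needs; a defender auditing a reset endpoint should look for exactly that binding rather than for the mere presence of a token parameter.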

“On Friday, we addressed an incident with password reset functionality; there is no action for customers, as they are protected,” a Microsoft spokesperson told Threatpost via email.

According to a report published on WhiteC0de, the exploit was initially discovered by a Saudi Arabian hacker working for Dev-point.com and was leaked to hacker forums, where it spread quickly. Despite the quick action to fix the flaw, WhiteC0de claims it has been widely used to compromise Hotmail accounts. In turn, unauthorized access to those email accounts was leveraged to gain access to social media, financial, and other accounts linked to those addresses.

Authors

Threatpost
